IN THE CLAIMS 



1 . (Currently Amended) A computer program product for automatically determining 
if a packet is a new, exploit candidate, saidthe computer program product comprising: 

a computer-readable tangible storage devic e medium ; 

first program instructions to determine if sa&the packet is a known exploit-ef 
portion thereof ; 

second program instructions to determine if sakkhe packet is addressed to a 
broadcast IP address of a network;-and 

third program instructions to determine if sa&the packet is network administration 

traffic; 

fourth program instructions, responsive to saidthe packet being a -known exploit 
or portion thereof, OR the packet being addressed to a broadcast IP address of a network T 
OR the packet beinge f network administration traffic to determine that sa&the packet is 
not -a new, exploit candidate; and 

fifth program instructions, responsive to sakkhe packet not being a known exploit 
or portion thereof, AND the packet not being addressed to a broadcast IP address of a 
networks AND the packet not being network administration traffic AND e r -the packet not 
being another type of traffic known to be benign, to determine and report that saidthe 
packet is a new, exploit candidate; and wherein 

sa&the first, second, third, fourth and fifth program instructions are stored 
embodi e d on sa&the computer-readable tangible storage device modium . 
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2. (Currently Amended) TheA computer program product of as set forth in claim 1 
further comprising: 

sixth program instructions to determine if saidthe packet is web crawler traffic; 
and wherein 

saidthe fourth program instructions are responsive to saidthe packet being a 
known exploit or portion thereof, OR the packet being addressed to a broadcast IP 
address of a network ? OR the packet being network administration traffic OR the packet 
being ef web crawler traffic, to determine that saidthe packet is not a new, exploit 
candidate; and 

saidthe fifth program instructions are responsive to saidthe packet not being a 
known exploit or portion thereof, AND the packet not being addressed to a broadcast IP 
address of a network ? AND the packet not being network administration traffic AND the 
packet not being er web crawler traffic, to determine that saidthe packet is a new, exploit 
candidate; and 

saidthe sixth program instructions are stored embodi e d on saidthe computer- 
readable tangible storage device medium . 

3. (Currently Amended) TheA computer program product o fas set forth in claim 1 
wherein saidthe first program instructions determine if saidthe packet is a known exploit 
or portion thereof by searching saidthe packet for a known signature of saida known 
exploit. 

4. (Currently Amended) TheA computer program product o fas set forth in claim 1 
wherein saidthe first program instructions determine if saidthe packet is a known exploit 
by comparing an identity of saidthe packet to one or more identities, sent by an intrusion 
detection system, of respective packet(s) which saidthe intrusion detection system 
determined to contain a known exploit or portion thereof . 
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5. (Currently Amended) TheA computer program product o fas sot forth in claim 1 
wherein saidthe packet was received by a honevpot computing device at an unused DP 
address, and sa&the computer program product is installed and e xecuted at sa&the 
honevpot computing device. 

6. (Currently Amended) TheA computer program product o fas set forth in claim 1 
further comprising: 

sixth program instructions, responsive to sa&the fifth program instructions 
determining that sa&the packet is a new exploit candidate, to determine a signature of 
sa&thg packet ^ or a sequ e nc e of packets including tho first said packet, and report saidthe 
new exploit candidate and saklthe signature to an administrator; and wherein 

sa&the sixth program instructions are stored embodied on saklthe computer- 
readable tangible storage device medium . 

7. (Currently Amended) TheA computer program product o fas set forth in claim 6 
wherein responsive to tf sa&the fourth program instructions determininge that sa&the 
packet is not a new, exploit candidate, the»-a signature of satethe packet or a sequenc e of 
packets including s aid first packet is not being determined. 

8. (Currently Amended) TheA computer program product o fas set forth in claim 1 
wherein sa&the second program instructions determine if saidthe packet is addressed to a 
broadcast IP address of sa&the network- by comparing a destination DP address of saidthe 
packet to a gateway IP address of the network and a_netmask of sa&the network which 
identifies a broadcast IP address of sa&the network. 
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9. (Currently Amended) AThe computer program product o fas sot forth in claim 1 
wherein: 

sa&the second program instructions also determine if saktthe packet has -a 
protocol listed in -a list of protocols previously determined assum e d to be harmless 
network broadcast traffic; 

saktthg fourth program instructions^ are responsive to saidthe packet being a 
known exploit or portion thereof, OR the packet being addressed to a broadcast EP 
address of a network OR the packet being network administration traffic OR the packet 
e^having a protocol listed in a list of protocols previously determined assum e d to be 
harmless network broadcast traffic, to determine that saidthe packet is not a new, exploit 
candidate; and ■ 

sa&the fifth program instructions-is are responsive to saidthe packet not being a 
known exploit or portion th e reof AND the packet not being addressed to a broadcast IP 
address of a network AND the packet not beinge f network administration traffic ANDaftd 
the packet not having a protocol listed in a list of protocols previously determined 
assum e d to be harmless network broadcast traffic, to determine and report that sa&the 
packet is a new, exploit candidate. 

10. (Currently Amended) TheA computer program product o fas sot forth in claim 1 
wherein saktthe third program instructions determine if sa&the packet is network 
administration traffic by comparing an IP protocol and IP address of saidthe packet to a 
list of combinations of IP protocols and IP addresses previously determined as s um e d to 
be network administration traffic. 

1 1 . (Currently Amended) TheA computer program product o fas sot forth in claim 2 
wherein saidthe sixth program instructions determine if sa&the packet is web crawler 
traffic by comparing an IP address of sakkhe packet to a list of IP addresses of known 
web crawlers. 
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1 2. (Currently Amended) The A computer program product o fas sot forth in claim 1 
further comprising sixth program instructions, responsive to sa&the packet not being a 
known exploi t AND the packet not being network broadcast traffic AND the packet not 
being -addressed to a broadcast IP address of a network AND the packet not being er 
another type of traffic known to be benign, to identify a sequence of packets including the 
first said packet, saidthe sequence of packets being a new, exploit candidate; and wherein 

saktthg sixth program instructions are stored embodied on seethe computer- 
readable tangible storage device medium . 

Claims 13-20 (Canceled) 
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21 . (Currently Amended) A computer program product for automatically determining 
if a packet is a new, exploit candidate, saidthe computer p rogram product comprising: 

a computer-readable tangible storage device medium ; 

first program instructions to determine if sakkhe packet is a known exploit-e? 
portion thereof ; 

second program instructions to determine if sakkhe packet is addressed to a 
broadcast DP address of a network; 

third program instructions to determine if sa&the packet has a protocol listed in a 
list of protocols previously determined assumed to be harmless broadcast traffic; 

fourth program instructions to determine if sakkhe packet is network 
administration traffic; 

fifth program instructions, responsive to sa&the packet being a known exploit-er 
portion ther e of, OR the packet being addressed to a broadcast IP address of a network OR 
the packet being ef network administration traffic OR the packet e p-having a protocol 
listed in a list of protocols previously determined assumed to be harmless broadcast 
traffic, to determine that satethe packet is not a new, exploit candidate; and 

sixth program instructions, responsive to sa&the packet not being a known exploit 
or portion thereof, AND the packet not being addressed to a broadcast IP address of a 
network AND the packet not beinge r network administration traffic AND the packet a nd 
not having a protocol listed in a list of protocols previously determined assumed to be 
harmless broadcast traffic, to determine and report that sa&the packet is a new, exploit 
candidate; and wherein 
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sa&the first, second, third, fourth, fifth and sixth program instructions are stored 
e mbodied on sa&the computer-readable tangible storage device medium , 

22. (Currently Amended) TheA computer program product o fa s set forth in claim 2 1 
further comprising: 

seventh program instructions to determine if sakkhe packet is web crawler traffic; 
and wherein 

saidthe fifth program instructions are responsive to saklthe packet being a known 
exploit or portion th e r e of, OR the packet being addressed to a broadcast EP address of a 
network ; OR the packet being network administration traffic OR the packet being ef web 
crawler traffic OR the packet e Hiaving a protocol listed in a list of protocols previously 
determined assum e d to be harmless broadcast traffic, to determine that saidthe packet is 
not a new, exploit candidate; and 

sa*4the sixth program instructions are responsive to sa&the packet not being a 
known exploi t or portion thereof AND the packet not being addressed to a broadcast DP 
address of a network ? AND the packet not being network administration traffic AND the 
packet not being ef web crawler traffic AND the packet not beinge f other traffic known to 
be benign AND the packet not e ^having a protocol listed in a list of protocols previously 
determined assumed to be harmless broadcast traffic, to determine that saktthe packet is a 
new, exploit candidate; and 

sakkhe seventh program instructions are stored embodied on saidthe computer- 
readable tangible storage device medium . 
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23. (Currently Amended) TheA computer program product o fas set forth in claim 21 
further comprising: 

seventh program instructions, responsive to saidthe sixth program instructions 
determining that sa&the packet is a new, exploit candidate, to determine a signature of 
sa&the packet or a sequence of packets including the first saidthe packet, and report 
sa&the new, exploit candidate and saidthe signature to an administrator; and wherein 

saklthe seventh program instructions are stored embodi e d on sa&the computer- 
readable tangible storage device medium , 

24. (Currently Amended) TheA computer program product o fas sot forth in claim 21 
wherein sa&the second program instructions determine if saidthe packet is addressed to a 
broadcast IP address of saidthe network by comparing a destination IP address of sakkhe 
packet to a gateway IP address of the network and a_netmask of saidthe network which 
identifies a broadcast IP address of saidthe network. 

Please enter new claims 25-28, as follows: 
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25. (New) A computer system for automatically determining if a packet is a new, 
exploit candidate, the computer system comprising: 

one or more processors, one or more computer-readable memories, one or more 
computer-readable tangible storage devices, and program instructions stored on at least 
one of the one or more storage devices for execution by at least one of the one or more 
processors via at least one of the one or more memories, the program instructions 
comprising: 

first program instructions to determine if the packet is a known exploit; 

second program instructions to determine if the packet is addressed to a broadcast 
IP address of a network; 

third program instructions to determine if the packet is network administration 

traffic; 

fourth program instructions, responsive to the packet being a known exploit OR 
the packet being addressed to a broadcast IP address of a network OR the packet being 
network administration traffic, to determine that the packet is not a new, exploit 
candidate; and 

fifth program instructions, responsive to the packet not being a known exploit 
AND. the packet not being addressed to a broadcast DP address of a network AND the 
packet not being network administration traffic AND the packet not being another type of 
traffic known to be benign, to determine and report that the packet is a new, exploit 
candidate. 
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26. (New) The computer system of claim 25 further comprising: 

sixth program instructions, stored on at least one of the one or more storage 
devices for execution by at least one of the one or more processors via at least one of the 
one or more memories, to determine if the packet is web crawler traffic; and wherein 

the fourth program instructions are responsive to the packet being a known exploit 
OR the packet being addressed to a broadcast IP address of a network OR the packet 
being network administration traffic OR the packet being web crawler traffic, to 
determine that the packet is not a new, exploit candidate; and 

the fifth program instructions are responsive to the packet not being a known 
exploit AND the packet not being addressed to a broadcast DP address of a network AND 
the packet not being network administration traffic AND the packet not being web 
crawler traffic, to determine that the packet is a new, exploit candidate. 

27. (New) The computer system of claim 25 wherein the packet was received by a 
honeypot computing device at an unused BP address, and the first, second, third, fourth 
and fifth program instructions are executed at the honeypot computing device. 

28. (New) The computer system of claim 25 further comprising: 

sixth program instructions, stored on at least one of the one or more storage 
devices for execution by at least one of the one or more processors via at least one of the 
one or more memories, responsive to the fifth program instructions determining that the 
packet is a new exploit candidate, to determine a signature of the packet, and report the 
new exploit candidate and the signature to an administrator. 
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